Affected: MailStore Server >= 9.3

Problem: When connecting to the archive the error message "Authentication failed because the remote party has closed the transport stream." occurs. This is caused by SSL certificates that still use an MD5-hash based signature algorithm.

Background: Since MailStore Server 9.3 the only supported encryption protocols are TLS 1.0, TLS 1.1 and TLS 1.2. On recent Windows operating systems TLS 1.2 is typically used for the connection between MailStore Client and MailStore Server. Windows' own Security Support Provider (SSP, also known as Secure Channel or Schannel) prohibits the use of MD5-hash based signature algorithms for connections that are secured with TLS 1.2. Thus Schannel prohibits establishing a client/server connection if the certificate utilized by MailStore Server uses MD5-hash based signature algorithms.

Solution: In the following scenarios, MD5-hash based signature algorithms may still be in use:

1. Environments in which the self-signed SSL certificate created by the installer is used and where this certificate has initially been creating during the installation of MailStore Server 5 or older. In this case, follow the instructions in the Deploying a Self-signed SSL Certificate article in order to create a new self-signed certificate.
2. Envrionments in which the certificate used by MailStore Server has been signed by an enterprise certificate authority (Enterprise CA) or a trusted root certificate authority (Trusted Root CA) and where the certificate signing request or the certificate itself used an MD5-hash based signature algorithm. Please note that these certificates were neither issued in recent years (approx. since 2010) nor are they supported by recent generations of web browsers. In this case, follow the instructions in the Using Your Own SSL Certificate article.

Article-ID: KB20150820-1-EN (Deutsche Version)